
Re: "Re: DNS? was Re: Key Management, an



Paul Lambert writes:

>Hilarie, 
> 
>On your assertion: 
> 
>>Clarified Assertion: 
>>The minimal basis for authentication is the association  
>>of a public key with an IP address.  The minimal  
>>authentication chain is through DNS zone authorities. 
> 
>I have always viewed the minimum information to be a "name"...  Perhaps I'm 
>wrong, but your assertion provides clarity to the discussions and this an 
>issue that needs resolution. So ... 
> 
>A Different Assertion: 
> 
>The minimal basis for authentication is the association  
>of a public key with a name that can be used to support access control 
>decisions. 
> 
>IP addresses may be dynamically assigned and are not as useful as "names" in 
>supporting end system security.   

I have a problem with this as a basis for authentication also.  If I am 
"dialed-in" through my ISP, and receive a dynamic address, I don't have a DNS 
entry, hostname, or otherwise.  In fact, the only thing I really have is an 
e-mail address.  The question that really needs to be asked is:

    "What am I authenticating:
        a person,
        a machine/host,
        or a network entrypoint?"

I can make a case for all three given different security policies, and 
different security perspectives.

The personal authentication is intuitive (but I'll clarify anyway); a 
particular application only allows named users and specific authenticated 
users to access its services (e.g. a library database server only wants 
John Smith to have access - because he paid his bill - we don't want to 
allow anyone from joesmidnightisp.com [John's ISP provider] to have 
access).

Host authentication is most common (did I really get to host XYZ.ABC.COM ?).  
This is the perspective of a client accessing a server. Can I be sure that 
the newest beta version of Netscape I just downloaded is from the 
Netscape server?

Network entrypoint authentication is the opposite perspective.  The host 
wants authentication of the origin of access.  It is common to restrict a 
host to be accessed from only certain locations - we do this all the time 
with network management using various techniques (call-back using modems 
etc.)

What about the network manager that wants full access from home through 
his/her ISP to correct network problems at 2 AM? We surely want VERY strong 
authentication that this is really the network manager and not Bobby Hacker.



I don't have a really good solution - I need to think about it some 
more.  Regardless, all types of authentication will be important, and neither 
IP address nor hostname covers all three.  Maybe the best thing to do is 
say all three types of authentication will be handled by different 
certificates. 

Is it sufficient to say that authentication is based on an e-mail address 
(personal), hostname, OR an IP address (network entrypoint)?  Then the 
application/service which is accepting the authenticated identity must 
determine if this binding is sufficient authentication for the particular 
activity/access/application?

Then the minimal basis for authentication is the association of a public key 
with an e-mail address, a hostname, or an IP address that can be used to 
support access control decisions.

Comments?

Dave Wheeler
Information Security Operations
Space and Systems Technology Group, Motorola
Scottsdale, Arizona
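The closing proposal above (a public key bound to an e-mail address, a hostname, or an IP address, with the accepting service deciding whether that binding is sufficient for the activity) can be sketched as a policy check. The following is an added example, not part of Dave Wheeler's message or of any list member's code; the activities, names, address ranges and key fingerprints are constructed for illustration. It models the three binding kinds from the post, infers the kind from the certified name, and lets the service require a particular kind (and particular names) per activity, so that an IP-address binding from a dynamic dial-up address is not accepted where only the person matters, and a hostname binding for the ISP does not stand in for the named user.

```python
"""Model of the closing proposal in the message above: a public key is bound
(by a certificate) to an e-mail address, a hostname, or an IP address, and the
service consuming that binding decides whether the kind of binding, and the
name it carries, is sufficient for the activity requested.
Added example, not part of the original message; the activities, names,
address ranges and key fingerprints are constructed."""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Tuple


class BindingKind(Enum):
    PERSON = "e-mail address"    # personal authentication
    HOST = "hostname"            # host authentication
    ENTRYPOINT = "IP address"    # network-entrypoint authentication


@dataclass(frozen=True)
class Binding:
    """One (public key, name) association as a certificate would state it."""
    kind: BindingKind
    name: str
    key_id: str   # fingerprint of the bound public key (constructed values)


def classify(name: str) -> BindingKind:
    """Infer the kind of a certificate subject name."""
    try:
        ipaddress.ip_address(name)
        return BindingKind.ENTRYPOINT
    except ValueError:
        pass
    return BindingKind.PERSON if "@" in name else BindingKind.HOST


def binding(name: str, key_id: str) -> Binding:
    return Binding(classify(name), name.lower(), key_id)


@dataclass(frozen=True)
class Rule:
    """Require a binding of `kind` whose name is in `allowed` (CIDR blocks for
    ENTRYPOINT); an empty `allowed` accepts any name of that kind."""
    kind: BindingKind
    allowed: Tuple[str, ...] = ()

    def matches(self, b: Binding) -> bool:
        if b.kind is not self.kind:
            return False
        if not self.allowed:
            return True
        if self.kind is BindingKind.ENTRYPOINT:
            addr = ipaddress.ip_address(b.name)
            return any(addr in ipaddress.ip_network(net) for net in self.allowed)
        return b.name in self.allowed


# activity -> alternatives; each alternative is a list of rules that must ALL be met
POLICY: Dict[str, List[List[Rule]]] = {
    # the library only wants John, who paid his bill; nobody else at his ISP
    "library-db-read": [[Rule(BindingKind.PERSON, ("john.smith@joesmidnightisp.com",))]],
    # the client wants to know it reached the real server before trusting a download
    "software-download": [[Rule(BindingKind.HOST, ("xyz.abc.com",))]],
    # on-site management: the host may be reached only from a known network
    "network-mgmt-onsite": [[Rule(BindingKind.ENTRYPOINT, ("192.0.2.0/24",))]],
    # the manager at home on a dynamic dial-up address: the IP says nothing
    # useful about who is there, so only a personal binding is accepted
    "network-mgmt-remote": [[Rule(BindingKind.PERSON, ("netmgr@example.net",))]],
}


def is_sufficient(activity: str, presented: Iterable[Binding]) -> bool:
    """Decide whether the bindings a peer presents satisfy the activity's policy."""
    bindings = list(presented)
    if not bindings:
        return False
    # Several certificates may be combined only if they certify the same key;
    # otherwise they do not describe one authenticated peer.
    if len({b.key_id for b in bindings}) != 1:
        return False
    alternatives = POLICY.get(activity)
    if alternatives is None:
        return False   # unknown activity: deny by default
    return any(all(any(rule.matches(b) for b in bindings) for rule in alt)
               for alt in alternatives)


if __name__ == "__main__":
    john = binding("John.Smith@joesmidnightisp.com", "k-john")
    print(is_sufficient("library-db-read", [john]))
    print(is_sufficient("library-db-read", [binding("joesmidnightisp.com", "k-isp")]))
```

The policy table is where the post's "different certificates for different kinds of authentication" lands in practice: the same key may carry several bindings, but the service decides which kinds count for which activity, and bindings that certify different keys are never combined into one identity.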